Configuring WildFly behind a reverse proxy with TLS

In practice, I typically find myself running WildFly behind an Apache reverse proxy. While configuring Apache is easy, I found the corresponding setup for WildFly hard to find in the depths of its documentation. Simply putting your installation behind the proxy is not enough; you need to perform additional configuration steps to ensure things like UriInfo in JAX-RS work correctly. Here’s a simple 2-step guide:

Step 1

Let’s start by creating a new named configuration for a socket. We’ll name it proxy-https and configure it to use port 443 for TLS. This can be accomplished with the following JBoss CLI snippet:

Alternatively, you can add a socket-binding element to the socket-binding-group element in your WildFly configuration (e.g. standalone.xml):

Step 2

We enable proxy address forwarding on our HTTP listener in the configuration of the Undertow subsystem and make it use the socket binding we created in Step 1. The following CLI script gets the job done:

The corresponding XML configuration looks like this:

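Both steps as one CLI script, added here as an example and not the author's gist. It assumes the stock standalone profile names (`standard-sockets`, `default-server`, HTTP listener `default`) and that `redirect-socket` is the listener attribute pointed at `proxy-https`.

```jboss-cli
# Added example, not the original gist. Resource names below are the
# defaults of a stock standalone.xml and are assumptions; adjust them
# if your profile uses different names.

batch

# Step 1: named socket binding for the port the proxy terminates TLS on.
# WildFly does not listen on 443 because of this; the binding is only
# used to build redirect and request URLs.
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)

# Step 2a: honour the X-Forwarded-* headers set by the proxy.
# With this enabled, Undertow takes client address, scheme and host from
# those headers for every request that reaches this listener, so the
# listener must be reachable only from the proxy (for example bound to
# loopback or firewalled); otherwise any client can supply the values.
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)

# Step 2b: send confidential-transport redirects to the proxy's TLS port
# (assumed to be how the listener "uses" the binding from Step 1).
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)

run-batch

# Both attribute changes leave the server in reload-required state.
reload

# Check the result: expect proxy-address-forwarding=true and
# redirect-socket=proxy-https in the output.
/subsystem=undertow/server=default-server/http-listener=default:read-resource
```

Save it under a name of your choice (here `proxy.cli`, a constructed name) and run it with `jboss-cli.sh --connect --file=proxy.cli`.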

The full CLI script is available as a gist on GitHub. This example has been tested with WildFly 10, but the setup should be basically the same for other versions. Note that you don’t need a reverse proxy to support TLS on WildFly. See the Undertow documentation for more details.